CRISC Question #310: Real Exam Question with Answer & Explanation
The correct answer is A: Risk owner.
Question
An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?
Options
- A. Risk owner
- B. IT risk manager
- C. Server administrator
- D. Risk practitioner
Explanation
When a documented and accepted risk materializes, the designated risk owner is accountable for the resulting losses as they are responsible for managing and accepting that specific risk.
Common mistakes
- B. An IT risk manager facilitates the overall risk management process, but is typically not the ultimate accountable party for a specific accepted risk; that accountability falls to the designated risk owner.
- C. A server administrator is responsible for technical implementation and maintenance, including patching, but if the risk of poor patch management was accepted by a higher authority (the risk owner), the ultimate accountability for losses lies with the risk owner, not the implementer.
- D. A risk practitioner identifies, assesses, and reports on risks, but does not typically own or accept them; the role is advisory and facilitative within the risk management framework.
Concept tested: Risk ownership accountability
Reference: https://www.isaca.org/resources/isaca-journal/issues/2023/volume-3/risk-ownership-in-the-digital-age